IT-Security Gap Analysis: CIS-20 Critical controls

Controls Profile: Make IT Security Measurable

All organisations must comply with Article 32 (GDPR) on security of processing. We show you how to make the subject tangible from an IT perspective by matching the risk involved in your data processing activities to organisational and technical mitigations and processes.

Challenges

Most organisations fail to combine measurable technical solutions with legal measures to comply with Article 32 (GDPR) on security of processing.

Ensuring compliance with Article 32 (GDPR) on security of processing is often a daunting task. Too often organisations address these requirements with a strictly law-based approach, in which technical measurables are not intended to be part of the solution.

Being able to justify that the risk of PII processing is mitigated by adequate cybersecurity measures is difficult and requires multidisciplinary organisational collaboration.

Our approach

Deloitte has invented a method for rapidly pointing to technical and organisational measures that you need to comply with in relation to the individual risk.

Our approach is based on the CIS Critical Security Controls and the associated best-practice papers on this subject. This way, compliance with Article 32 (GDPR) becomes tangible and practical to track, based on ENISA recommendations for small and medium-sized enterprises.

  1. Identify all processing activities

    The documented records of processing activities are a requirement of the EU General Data Protection Regulation (GDPR). Art. 30 GDPR requires organisations to draw up a list of all activities in which they process personal data (known as the processing activities). To some this overview is known as "data mapping" or "data inventory". It is usually closely related to the data classification or the DPIA, where these exist. We will look into the current overview, or the lack of one, and determine a way forward to obtain it.

  2. Perform a risk analysis according to the CIA model

    Anchored in the data inventory (processing activities), we perform a risk assessment associated with GDPR. Where no risk assessment templates or method exist, we guide you through the process and hand over templates so that the process can be carried forward once we leave the project.

    We cover the different controls that need to be adjusted to your IT landscape, considering not only best-practice advice but also what is practically doable.

  3. Evaluate mitigations of an organisational and technical nature

    Plan and design risk mitigation actions. We focus mainly on technical controls to ensure the protection of the data.

  4. Match the risk and the mitigation to demonstrate compliance

    We will advise on possible reporting options, including what is currently possible and what is to aspire for, such that quick-wins are identified and captured.

    As the controls are updated and conformities and non-conformities are identified, the organisation learns from the experience and is able to take corrective actions.

  5. Set up measurables and relevant reporting metrics

    Rooted in proven measurables and associated metrics (e.g. NIST, CIS), a simple measurement scheme will be designed and implemented.

    The profile comes with an intuitive dashboard where relevant stakeholders get a simple overview of implementation progress. This not only tracks the maturity journey, but also gives Management a reason to invest.
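Steps 2 to 5 above describe one procedure: rate each processing activity on confidentiality, integrity and availability, derive the controls it needs, compare that with what is implemented, and report a metric. The following Python script is an added example of how such a gap analysis can be made measurable; it is not Deloitte's tool or the CIS Controls' own scoring. The control titles are taken from CIS Controls v7, but the mapping from CIA dimension to control, the 0..3 maturity scale, the sample processing activities and the implementation status are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# CIS Controls v7 titles for the subset used here (the full CIS-20 is not modelled).
CIS_CONTROLS = {
    3: "Continuous Vulnerability Management",
    6: "Maintenance, Monitoring and Analysis of Audit Logs",
    10: "Data Recovery Capabilities",
    13: "Data Protection",
    14: "Controlled Access Based on the Need to Know",
    16: "Account Monitoring and Control",
}

# Assumed mapping (this example's own): which controls mitigate which CIA dimension.
CIA_TO_CONTROLS = {
    "confidentiality": (13, 14, 16),
    "integrity": (3, 6),
    "availability": (10,),
}


@dataclass(frozen=True)
class ProcessingActivity:
    """One Art. 30 record with a CIA risk rating 0..3 per dimension (steps 1 and 2)."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def rating(self, dimension: str) -> int:
        return getattr(self, dimension)


def required_levels(activity: ProcessingActivity) -> dict:
    """Step 3: maturity level each control must reach for this activity.
    A control mapped to several dimensions inherits the highest rating."""
    required = {}
    for dimension, controls in CIA_TO_CONTROLS.items():
        for cid in controls:
            required[cid] = max(required.get(cid, 0), activity.rating(dimension))
    return required


def control_gaps(activity: ProcessingActivity, implemented: dict) -> dict:
    """Step 4: controls whose implemented maturity is below the required level,
    with the shortfall in levels. Missing controls count as maturity 0."""
    gaps = {}
    for cid, need in required_levels(activity).items():
        have = implemented.get(cid, 0)
        if have < need:
            gaps[cid] = need - have
    return gaps


def compliance_score(activities, implemented: dict) -> float:
    """Step 5: fraction of required maturity that is in place across all
    activities (1.0 means no gaps). Over-implemented controls earn no extra credit."""
    total = met = 0
    for activity in activities:
        for cid, need in required_levels(activity).items():
            total += need
            met += min(implemented.get(cid, 0), need)
    return met / total if total else 1.0


def gap_report(activities, implemented: dict) -> list:
    """Dashboard-style lines: one per open gap, then the overall score."""
    lines = []
    for activity in activities:
        for cid, shortfall in sorted(control_gaps(activity, implemented).items()):
            lines.append(
                f"{activity.name}: CIS {cid} {CIS_CONTROLS[cid]} short by {shortfall} level(s)"
            )
    lines.append(f"overall compliance score: {compliance_score(activities, implemented):.0%}")
    return lines


# Constructed sample input (not real client data): two processing activities.
ACTIVITIES = [
    ProcessingActivity("HR payroll", confidentiality=3, integrity=3, availability=2),
    ProcessingActivity("Newsletter subscriptions", confidentiality=1, integrity=1, availability=1),
]
# Constructed implementation status: maturity 0..3 per CIS control.
IMPLEMENTED = {3: 2, 6: 1, 10: 3, 13: 2, 14: 3, 16: 1}

if __name__ == "__main__":
    for line in gap_report(ACTIVITIES, IMPLEMENTED):
        print(line)
```

The design choice worth noting is that the required level is derived from the activity's risk rating, not chosen per control: a high-confidentiality activity automatically demands more from the data-protection and access controls than a low-risk newsletter list does, so the same implementation status yields different gaps for different activities. That is what lets the score be traced back to the Article 30 records when demonstrating compliance.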


Why Deloitte?

Awarded market leaders

We strive to continuously lead the market in the area of cyber risk and security services. We are awarded and acknowledged by some of the most renowned institutions within the area of cyber, e.g. Gartner, ALM Intelligence and Forrester. In 2020, we were named global leader in Security Consulting Services for the 9th year in a row by Gartner.

Leading-edge technologies

We are committed to investing in innovation and emerging technologies to ensure that we are equipped with the latest tools to solve current and future challenges for our clients. Alliances with market-leading cyber vendors and groundbreaking startups around the world offer our clients access to a wide range of cyber-risk technologies and leading-edge technology innovation.

Global intelligence delivered locally

We have the largest professional services network in the world. Diversity across our cyber teams helps us work across the globe with a local and personal lens. We have over 8,600 dedicated cyber-risk service practitioners of which 1,300 are dedicated to Europe and the Middle East alone, ready to help our clients everywhere with any challenge.

End-to-end cyber-risk services

We cover every aspect of cyber risk — from advisory and implementation of strategic transformations to managed security services, product solutions and incident management. This enables us to deliver more resilient and silo-breaking solutions, taking the whole business chain into account. This helps our clients to leverage their potential and growth even more.

Reach out

Would you like to know more? Please contact our experts.

Christian Schmidt

Director

Tommaso Di Carlo

Senior Manager